SSL support: current state and issues
ahartmetz at gmail.com
Sat Dec 8 07:45:05 GMT 2007
I've been working on a replacement for KSSL for a couple of weeks now and it
looks like people are actually waiting for it and need it.
The place where the most important things happen in KSSL is TCPSlaveBase.
TCPSlaveBase is the base of all network ioslaves and KSSL is more or less
just woven into it. Probably more than half of the TCPSlaveBase code in trunk
is just SSL. There are some helper classes (15?) with no discernible (to me)
structure around that core of which some are user interface classes.
The approach for a replacement is to have a KTcpSocket which uses QSslSocket
as a backend for now but which is different enough from QSslSocket to allow
different backends - I'm thinking of QCA::TLS and that is in fact what I
always check when deciding on some API details.
Right now I have a TCPSlaveBase that works for non-SSL and SSL sites but only
if there are no SSL errors. There are several catches with SSL errors:
-QSslSocket has more different types of errors than QCA::TLS and QSslSocket
always tells you which certificate is involved in that error. The certificate
to an error does not seem to be easy to find in all cases with QCA::TLS.
[Scratch that, actually QSslError does never contain a nonempty
-There are errors of which I have no idea what they mean. The only
documentation that really helps there is OpenSSL's which is crap and
incomplete (parts not dealing with errors seem to be better) so I'll have to
read its code. Gah.
An example is QSslError::QSslError::CertificateSignatureFailed aka
X509_V_ERR_CERT_SIGNATURE_FAILURE in OpenSSL.
[It turns out that playing around with funny servers is the best way to find
out what the errors really mean. Also, some simple errors give a list of
several different errors...]
I started the above paragraph, didn't know what exactly to write and went back
to the code. That is why I'm answering my own questions.
Lowest on the todo list are client certificate support (because it's rather
exotic) and (way down) session reuse if that is even possible. It is/was
apparently supposed to work in KDE3 but (suprise!) according to the gnutls
test server it really doesn't work.
Next is putting together the error handling with user interaction. I have some
nice classes that will handle rules in a much more straightforward way than
before. Look up "creeping elegance" :)
You can find my work branch at branches/work/newssl. The interesting things
are mostly in kdelibs/kdecore/network/ and kdelibs/kio/kssl/ and
Sorry if that was somewhat incoherent, it's hopefully good enough to give you
a rough idea anyway :) - Ask for more info if you want.
More information about the kde-core-devel